Home > Articles > Operating Systems, Server > Solaris

  • Print
  • + Share This
Like this article? We recommend

Configuring the Proxy Server to Handle Client Authentication with Digital Certificates

The certificate mapping file determines how a server should look up a user entry in the LDAP directory. You edit this file and add entries to match the organization of your LDAP directory and to list the certificates you want your users to have. This is achieved with the certmap.conf file. This file, located at server_root/userdb, can be edited and entries added to match the organization of your LDAP directory and to list the certificates you want your users to have.

Specifically, the mapping file defines:

  • Where in the LDAP tree the server should begin its search

  • Which certificate attributes the server should use as search criteria when searching for the entry in the LDAP directory

  • Whether the server goes through an additional verification process

The following example configures the certmap.conf file so the Proxy Server can begin its search in the LDAP tree.

  1. Modify the cert.map.conf file.

  2. Refer to the notes in the file for references to the proper configuration.

  3. To enable the feature, modify the magnus.conf file.

  4. The magnus.conf file is located in server/root/proxy-<\instance/config. A variable with two possible values (ON/OFF) has been added. This feature is disabled (OFF) by default. Use the following syntax:

  5. CertificateChecking ON

To Restrict Access

  1. Open a browser and go to http://myproxy.sun.com:81.

  2. You will be prompted for a user ID and password. Enter the user ID proxyadmin and the password selected during the installation (for example, sun1ProxySvr).

  3. Select the Secure-Reverse Proxy instance.

  4. Click the Restrict Access link in the menu.

  5. Select Entire Server from the drop-down box.

  6. Turn access control off or on for the entire server by clicking either Turn off access control or Turn on access control.

  7. Turning on access control causes more access control settings to appear on your screen.

    For both Read and Write access, set the default access to Allow or Deny.

    NOTE

    Read access allows a user only to view the file. Write access allows the user to change or delete the file, assuming the user also has access to the file through your server computer's operating system. (Technically, Read includes these HTTP methods: GET, HEAD, POST, and INDEX. Write includes PUT, DELETE, MKDIR, RMDIR, and MOVE.)

  8. Specify which users are the exceptions to the default access for each access type by clicking the appropriate Permissions button.

  9. For this example, the permissions are set to Deny for both Read and Write access.

    1. Click the Permissions button for Read access.

      1. Supply the appropriate information:

      2. Users: proxyadmin
        Authentication Method: Client certificate (SSL)

        Leave all other options set to the default values.

      3. Click Done.

      4. Click OK in the main restrict access window.

      5. Click Save and Apply.

      6. This will ensure that the changes are recognized by the Proxy Server and restart the proxy instance to ensure that the changes take effect immediately.

    2. Verify Reverse Proxy configuration via SSL authentication using client certificates.

      1. Open a browser and access the proxy server. In this example, enter:

      2. https://myproxy.sun.com

        The proxy will request a client certificate from the browser. Provide the certificate that you requested from the certificate server that contains the UID used in the example and the proxy will allow access to the resource.

      For other aspects of security tuning for the Sun ONE Proxy Server such as setting banners, caching size/configuration, denial of service (DoS) considerations and so forth, refer to "Increase Server Security" section in the Sun ONE Web Proxy Server 3.6 SP3 Administrator's Guide.

  • + Share This
  • 🔖 Save To Your Account